[Bug 1859422] Re: security: default ownership and permissions

Corey Bryant 1859422 at bugs.launchpad.net
Tue Jun 2 18:50:58 UTC 2020


for panko ^

** Description changed:

+ [Impact]
  Package should security directories and files as below:
  
    chown <pkg>:adm /var/log/<pkg>
    chmod 0750 /var/log/<pkg>
  
    find /etc/<pkg> -exec chown root:<pkg> "{}" +
    find /etc/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
  
    # Optional rootwrap.d configuration files.
    find /etc/<pkg>/rootwrap.d -exec chown root:root "{}" +
    find /etc/<pkg>/rootwrap.d -type f -exec chmod 0644 "{}" + -o -type d -exec chmod 0755 "{}" +
  
-   find /var/lib/<pkg> -exec chown <pkg>:<pkg> "{}" +
-   find /var/lib/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
+   find /var/lib/<pkg> -exec chown <pkg>:<pkg> "{}" +
+   find /var/lib/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
  
  For keystone, /etc/ files/directories should be owned by
  keystone:keystone: https://docs.openstack.org/security-
  guide/identity/checklist.html
+ 
+ [Test Case]
+ Regression testing via juju deployed openstack + tempest or autopkgtests for uncharmed projects.
+ 
+ [Regression Potential]
+ Low, the same pattern has been used across all affected openstack packages. The changes landed in focal-proposed packages earlier in the cycle for OpenStack and has received a lot of testing.
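Review bot: the [Impact] line still reads "Package should security directories and files as below" (should be "secure"), and the removed and added `find /var/lib/<pkg>` lines are textually identical in this view, so that part of the description change looks whitespace-only; the keystone exception (keystone:keystone on /etc/) is stated in prose but not reflected in the generic `chown root:<pkg>` command, which is worth calling out explicitly in [Impact] so the template is not applied verbatim to that package.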

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ironic in Ubuntu.
https://bugs.launchpad.net/bugs/1859422

Title:
  security: default ownership and permissions

Status in aodh package in Ubuntu:
  Fix Released
Status in barbican package in Ubuntu:
  Fix Released
Status in cinder package in Ubuntu:
  Fix Released
Status in designate package in Ubuntu:
  Fix Released
Status in glance package in Ubuntu:
  Fix Released
Status in gnocchi package in Ubuntu:
  Fix Released
Status in heat package in Ubuntu:
  Fix Released
Status in ironic package in Ubuntu:
  Fix Released
Status in ironic-inspector package in Ubuntu:
  Fix Released
Status in keystone package in Ubuntu:
  Fix Released
Status in magnum package in Ubuntu:
  Fix Released
Status in manila package in Ubuntu:
  Fix Released
Status in masakari package in Ubuntu:
  Fix Released
Status in masakari-monitors package in Ubuntu:
  Fix Released
Status in mistral package in Ubuntu:
  Fix Released
Status in murano package in Ubuntu:
  Fix Released
Status in murano-agent package in Ubuntu:
  Fix Released
Status in neutron package in Ubuntu:
  Fix Released
Status in nova package in Ubuntu:
  Fix Released
Status in octavia package in Ubuntu:
  Fix Released
Status in openstack-trove package in Ubuntu:
  Fix Released
Status in placement package in Ubuntu:
  Fix Released
Status in python-glance-store package in Ubuntu:
  Fix Released
Status in sahara package in Ubuntu:
  Fix Released
Status in senlin package in Ubuntu:
  Triaged
Status in swift package in Ubuntu:
  Fix Released
Status in watcher package in Ubuntu:
  Fix Released
Status in zaqar package in Ubuntu:
  Fix Released
Status in zvmcloudconnector package in Ubuntu:
  Fix Released
Status in placement source package in Focal:
  Fix Committed

Bug description:
  [Impact]
  Package should secure directories and files as below:

    chown <pkg>:adm /var/log/<pkg>
    chmod 0750 /var/log/<pkg>

    find /etc/<pkg> -exec chown root:<pkg> "{}" +
    find /etc/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +

    # Optional rootwrap.d configuration files.
    find /etc/<pkg>/rootwrap.d -exec chown root:root "{}" +
    find /etc/<pkg>/rootwrap.d -type f -exec chmod 0644 "{}" + -o -type d -exec chmod 0755 "{}" +

    find /var/lib/<pkg> -exec chown <pkg>:<pkg> "{}" +
    find /var/lib/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +

  For keystone, /etc/ files/directories should be owned by
  keystone:keystone: https://docs.openstack.org/security-guide/identity/checklist.html

  [Test Case]
  Regression testing via juju deployed openstack + tempest or autopkgtests for uncharmed projects.

  [Regression Potential]
  Low, the same pattern has been used across all affected openstack packages. The changes landed in focal-proposed packages earlier in the cycle for OpenStack and have received a lot of testing.
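The chown/chmod pattern from the bug description, as an added shell example that is not code from the bug or from the Ubuntu packaging: it applies the sequence to a root prefix and, separately, audits a tree and prints one line per deviation, which is the check a packager wants before and after a maintainer script runs. The function names, the ROOT prefix argument (empty string for the live system, or a staging directory), the MODE/OWNER/SKIP output format and the use of GNU findutils (-printf, -maxdepth) and getent are assumptions of this example; the keystone exception from the description is honoured, and ownership checks are skipped when the service account does not exist on the host, since `find -user` aborts on an unknown name.

```shell
#!/bin/sh
# Added example, not from the bug or the Ubuntu packaging: apply the
# ownership/mode pattern from the bug description to a root prefix and audit
# a tree for deviations. ROOT is "" for the live system or a staging tree
# (assumed layout: ROOT/var/log/PKG, ROOT/etc/PKG[/rootwrap.d], ROOT/var/lib/PKG).
# Assumes GNU findutils (-printf, -maxdepth, -path) and getent. Audit lines
# start with MODE, OWNER or SKIP so a test can grep for them.

# audit_tree DIR DIRMODE FILEMODE [SKIP]: report entries whose mode is not exact.
audit_tree() {
    dir=$1; dmode=$2; fmode=$3; skip=${4:-//none}
    [ -d "$dir" ] || return 0                       # rootwrap.d is optional
    find "$dir" -path "$skip" -prune -o -type d ! -perm "$dmode" \
        -printf "MODE %p is %m want $dmode\n"
    find "$dir" -path "$skip" -prune -o -type f ! -perm "$fmode" \
        -printf "MODE %p is %m want $fmode\n"
}

# audit_owner DIR USER GROUP [SKIP] [MAXDEPTH]: report wrong owners. Skipped when
# the accounts are missing on this host, because find -user aborts on unknown names.
audit_owner() {
    dir=$1; user=$2; group=$3; skip=${4:-//none}; depth=${5:-64}
    [ -d "$dir" ] || return 0
    if ! id "$user" >/dev/null 2>&1 || ! getent group "$group" >/dev/null 2>&1; then
        echo "SKIP owner check on $dir: $user:$group not present on this host"
        return 0
    fi
    find "$dir" -maxdepth "$depth" -path "$skip" -prune -o \
        \( ! -user "$user" -o ! -group "$group" \) \
        -printf "OWNER %p is %u:%g want $user:$group\n"
}

# audit_pkg ROOT PKG: one line per deviation from the pattern in the description.
audit_pkg() {
    root=$1; pkg=$2; rw="$root/etc/$pkg/rootwrap.d"
    etc_owner=root
    if [ "$pkg" = keystone ]; then etc_owner=keystone; fi   # per the security guide
    if [ -d "$root/var/log/$pkg" ]; then
        find "$root/var/log/$pkg" -maxdepth 0 ! -perm 0750 -printf "MODE %p is %m want 0750\n"
        audit_owner "$root/var/log/$pkg" "$pkg" adm "" 0    # only the directory itself
    fi
    audit_tree  "$root/etc/$pkg" 0750 0640 "$rw"
    audit_owner "$root/etc/$pkg" "$etc_owner" "$pkg" "$rw"
    audit_tree  "$rw" 0755 0644
    audit_owner "$rw" root root
    audit_tree  "$root/var/lib/$pkg" 0750 0640
    audit_owner "$root/var/lib/$pkg" "$pkg" "$pkg"
}

# apply_pkg_perms ROOT PKG: the chmod/chown sequence from the description.
# chown needs root and existing accounts; on an unprivileged staging tree it is skipped.
apply_pkg_perms() {
    root=$1; pkg=$2; rw="$root/etc/$pkg/rootwrap.d"
    etc_owner=root
    if [ "$pkg" = keystone ]; then etc_owner=keystone; fi
    chmod 0750 "$root/var/log/$pkg"
    find "$root/etc/$pkg" -type f -exec chmod 0640 {} + -o -type d -exec chmod 0750 {} +
    if [ -d "$rw" ]; then
        # rootwrap.d is set after /etc/PKG so its 0644/0755 overrides the stricter modes.
        find "$rw" -type f -exec chmod 0644 {} + -o -type d -exec chmod 0755 {} +
    fi
    find "$root/var/lib/$pkg" -type f -exec chmod 0640 {} + -o -type d -exec chmod 0750 {} +
    if [ "$(id -u)" -eq 0 ] && id "$pkg" >/dev/null 2>&1; then
        chown "$pkg:adm" "$root/var/log/$pkg"
        find "$root/etc/$pkg" -exec chown "$etc_owner:$pkg" {} +
        if [ -d "$rw" ]; then find "$rw" -exec chown root:root {} +; fi
        find "$root/var/lib/$pkg" -exec chown "$pkg:$pkg" {} +
    else
        echo "SKIP chown: needs root and a '$pkg' account"
    fi
}

# Stand-alone use:  sh perms.sh audit "" nova      or      sh perms.sh apply "" nova
case "${1:-}" in
    audit) audit_pkg "${2:-}" "${3:-}" ;;
    apply) apply_pkg_perms "${2:-}" "${3:-}" ;;
esac
```

The audit prunes `rootwrap.d` while walking `/etc/<pkg>` because the two trees legitimately carry different modes; without the prune every rootwrap filter file would be reported as too open. Running `audit` against a built package's staging directory (or a deployed host) before and after the maintainer script is the quickest way to confirm the regression-test claim in the description for a given package.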

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/aodh/+bug/1859422/+subscriptions
